1 PKI Update September 2002 CSG Meeting Jim Jokl
2 Public Key Infrastructure Basis - a pair of cryptographically related keys are generated –Your public and private keys Usage –Data encrypted using a public key can only be decrypted with the matching private key –Data signed by a private key can only be verified by the matching public key
3 Public Key Infrastructure: Digital Certificates A certificate is: –An object signed by a Certification Authority (CA) –Binds a user’s identity to their public key –Contains some attributes about the person –Contains some information about the CA Level of assurance –How well did the CA identify the person? –How is the CA run? –Who vouches for the CA?
4 Public Key Infrastructure: Policy and Practices How is the CA run? –Certification Policy & Practices documents –Registration Authority (RA) operation Who vouches for the CA? –Relying parties –Trust hierarchies –Certificate chains and root certificates
5 Some reasons campuses are deploying PKI Authentication –Client certificates for Web application authentication –VPN authentication & EAP-TLS for wireless –Higher assurance / two-factor authentication Digital signatures & business applications Signed and encrypted - S/MIME SSL server certificates etc
6 Higher Education PKI Activities - HEPKI Sponsors –Internet2, EDUCAUSE, CREN, HEPKI - Technical Activities Group (TAG) –Open-source PKI software –Certificate profiles –Directory / PKI interaction –Validity periods –Client customization issues –Mobility –Inter-institution test projects –Technical issues with cross-certification
7 Some Drivers for Campus S/MIME Support Prevent spoofing –Problems with forged –Students canceling classes, impersonating professors, etc –Official announcements –Anti-spam filter bypass? Business processes –Protect sensitive messages & documents –Signed messages –S/MIME-based applications
8 S/MIME Project –Two project phases: User to user Application-to-user, user-to-application –Client interoperability testing Common signing and encryption algorithms Dual-key support LDAP support –Issues documentation Mailing list software, encryption: folders, escrow, cc: repository
9 Some Potential S/MIME Applications –Mailing lists: access and expansion of encrypted messages –Travel expense reports & direct deposit notification –Online forms routing – signed workflow –Trouble ticket submissions –Password resets –Library notices – guard circulation data –Timesheet submission –Student debit card & long distance billing privacy –FERPA opt-in/opt-out –Sysadmin confirmation of batch jobs
10 Certificate Profiles A per-field description of certificate content –Standard and extension fields –Criticality flags –Syntax of values permitted per field Spreadsheet & text formats Higher education profile repository –
11 PKI-lite Full function but lightweight A normal PKI technical infrastructure Authenticate users Issue certificates, perhaps revoke certificates A comparatively simple certificate profile Support applications, directories, etc A lightweight administrative/policy structure Supports applications without high assurance needs One or two page certification policy Assurance levels per existing campus practice Campus evolution towards full featured PKI
12 PKI-lite Project Status PKI-lite certificate profiles completed –Designed to support web authentication & S/MIME –End Entity profile –CA certificate profile PKI-lite Policy and Practices Statement –Individual documents prepared – then merged –Reviewed by many people –Template-based fill in the blanks approach Certificate repository started
13 Some other work in progress Hardware tokens –Mobility –Private key protection –Two-factor authentication Signing tools –Web & client-based –The active content problem Other items –Root cert downloads, PKI in XP, docs, demo CA projects, information sharing, etc
14 Where to watch –middleware.internet2.edu/hepki-tag – –middleware.internet2.edu/hepki-tag/smime – PKI for Networked Higher –PKI Labs middleware.internet2.edu/pkilabs